[LINK] Super fund security breach lands good Samaritan in hot water

Craig Sanders cas at taz.net.au
Tue Oct 25 19:59:05 AEDT 2011

On Thu, Oct 20, 2011 at 06:30:38PM +1100, Jan Whitaker wrote:
> New article: - Note the finger pointing - Yes we did, no you didn't!
> Claims First State Super flaw ignored for 'years'
>   Asher Moses
>   October 20, 2011 - 12:09PM
> [...]
> This exposed members - predominantly public servants including 
> police, politicians and magistrates - to identity theft due to the 
> sensitivity of the personal details that were revealed, including 
> full names, addresses, email addresses, membership number, age, 
> insurance information, superannuation amount, fund allocations, 
> beneficiaries and employer information.

tax file numbers too?

> But the former Pillar IT staff member said there ''no controls that 
> produce security or privacy alerts'', and the only alerts that were 
> produced were technical system errors.
> ''Access to statements are logged ... however, the fact that another 
> member A accesses the statement of member B does not trigger an 
> 'alert' - so that part is total rubbish,'' the Pillar source said.
> One First State customer who contacted Fairfax Media said they 
> stumbled across the security flaw while checking their statement more 
> than 18 months ago. ''I discovered the problem completely by 
> accident,'' the customer said.
> Dwyer did not return calls this morning. But Pillar this morning 
> insisted that the company has for years been set up to receive alerts 
> when a member accessed another member's statement. Pillar said the 
> source was a ''disenfranchised employee making ridiculous claims''.

firstly, it makes no sense to merely send an alert about a known
security problem like this rather than just fix it (and it doesn't seem
likely to me that failing to fix the known problem would be legal),

does this Dwyer realise that his pretty unconvincing denial is actually
admitting that they knew about the flaw and DID NOTHING TO FIX IT?
That it's admitting that they knowingly allowed their system to grant
unauthorised access to confidential and protected personal information?

> ''When Webster hacked into the annual statements we got an error or
> an alert ... because of this we went back in our logs for nearly two
> years because that's when this code was first introduced and there
> were no technical alerts that were of the same nature,'' the spokesman
> said.

slimy weasel-words - he's trying to imply that web server access logs
are an "alert".

no, they're not. they're logs. you can write programs to analyse logs
and send alert messages via email or pager or whatever if it detects
unusual or exploitative behaviour, but logs in themselves are NOT
alerts. unless they're analysed or someone looks at them they're almost
entirely useless.

and again, why just detect known exploits rather than fix the problem,
which they've already stated was so trivial to fix that "...we fixed
this thing in a matter of hours..."

in short:

 - they have admitted that they knew about the problem "for years"
 - the fix was trivial, and was (finally) implemented in a matter of hours
 - they didn't bother to fix it until media attention was on the issue

IMO, I can't see any other conclusion than that they're guilty of
criminal negligence.


craig sanders <cas at taz.net.au>

BOFH excuse #391:

We already sent around a notice about that.
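The log-versus-alert distinction made in the message above (logs are only useful once something analyses them and raises an alert when member A fetches member B's statement), as an added Python example that is not part of the original thread or of any Pillar/First State system; the log format, URL layout and member ids are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the article): Apache combined-style
# access log where the third field is the authenticated member id and the
# path carries the member id whose statement is being requested.
SAMPLE_LOG = """\
10.0.0.5 - 1001 [20/Oct/2011:09:00:01 +1100] "GET /statements/1001/2011.pdf HTTP/1.1" 200 5120
10.0.0.5 - 1001 [20/Oct/2011:09:00:09 +1100] "GET /statements/1002/2011.pdf HTTP/1.1" 200 4987
10.0.0.5 - 1001 [20/Oct/2011:09:00:10 +1100] "GET /statements/1003/2011.pdf HTTP/1.1" 200 5011
10.0.0.7 - 2042 [20/Oct/2011:09:01:30 +1100] "GET /statements/2042/2011.pdf HTTP/1.1" 200 5300
10.0.0.9 - 3100 [20/Oct/2011:09:02:00 +1100] "GET /statements/3100/2010.pdf HTTP/1.1" 200 5100
10.0.0.9 - 3100 [20/Oct/2011:09:02:05 +1100] "GET /statements/3101/2010.pdf HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
STATEMENT_RE = re.compile(r'^/statements/(?P<owner>\d+)/')

def parse_line(line):
    """Return the fields of one statement request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    s = STATEMENT_RE.match(m['path'])
    if not s:
        return None
    return {'ip': m['ip'], 'user': m['user'], 'owner': s['owner'],
            'status': int(m['status'])}

def find_cross_member_access(log_text, enumeration_threshold=2):
    """Raise one alert per request whose authenticated member is not the
    statement owner, and name members who were served several foreign
    statements (the enumeration pattern the article describes)."""
    alerts, foreign = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['user'] == rec['owner']:
            continue  # own statement, or not a statement request at all
        served = rec['status'] == 200  # 403 means the server refused it
        alerts.append({'user': rec['user'], 'owner': rec['owner'],
                       'ip': rec['ip'], 'served': served})
        if served:
            foreign[rec['user']].add(rec['owner'])
    enumerators = sorted(u for u, o in foreign.items()
                         if len(o) >= enumeration_threshold)
    return alerts, enumerators

if __name__ == '__main__':
    alerts, enumerators = find_cross_member_access(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT member {a['user']} requested statement of {a['owner']} "
              f"from {a['ip']} served={a['served']}")
    print("possible enumeration by:", enumerators)
```

In a real deployment the alert list would be pushed to email or a pager rather than printed, and the 403 entries are the ones a correctly fixed system should produce.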
